53822f68778ff63122f547d53a6760ba2c28854cfe224c252fbfe8f62a871a81

General

Target

65d185edcf83123115ebbdf954f2b3d7_JaffaCakes118.html
Size

213KB
MD5

65d185edcf83123115ebbdf954f2b3d7
SHA1

7735bcec42c8bb3e4dc8cc19ede1d6e3d7592dc6
SHA256

53822f68778ff63122f547d53a6760ba2c28854cfe224c252fbfe8f62a871a81
SHA512

36ade891dfb2a0fac84f35109650f1d0ce5e243eb9b660f4d3d7b1bc9ec5d9c6b07f9cb9169a570ddab4e9d1ff2f7afe892e41e1acd31a9a901d1405f4c2a07b
SSDEEP

3072:Sggkz47ee8zyfkMY+BES09JXAnyrZalI+YQ:SgmsWsMYod+X3oI+YQ

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msedge.exemsedge.exemsedge.exe

pid process

872 msedge.exe
872 msedge.exe
1112 msedge.exe
1112 msedge.exe
4532 msedge.exe
4532 msedge.exe
4532 msedge.exe
4532 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

msedge.exe

pid process

1112 msedge.exe
1112 msedge.exe

pid	process
872	msedge.exe
872	msedge.exe
1112	msedge.exe
1112	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 1112 wrote to memory of 2328	1112	msedge.exe	msedge.exe
PID 1112 wrote to memory of 2328	1112	msedge.exe	msedge.exe
PID 1112 wrote to memory of 3740	1112	msedge.exe	msedge.exe
PID 1112 wrote to memory of 3740	1112	msedge.exe	msedge.exe
PID 1112 wrote to memory of 3740	1112	msedge.exe	msedge.exe
PID 1112 wrote to memory of 3740	1112	msedge.exe	msedge.exe
PID 1112 wrote to memory of 3740	1112	msedge.exe	msedge.exe
PID 1112 wrote to memory of 3740	1112	msedge.exe	msedge.exe
PID 1112 wrote to memory of 3740	1112	msedge.exe	msedge.exe
PID 1112 wrote to memory of 3740	1112	msedge.exe	msedge.exe
PID 1112 wrote to memory of 3740	1112	msedge.exe	msedge.exe
PID 1112 wrote to memory of 3740	1112	msedge.exe	msedge.exe
PID 1112 wrote to memory of 3740	1112	msedge.exe	msedge.exe
PID 1112 wrote to memory of 3740	1112	msedge.exe	msedge.exe
PID 1112 wrote to memory of 3740	1112	msedge.exe	msedge.exe
PID 1112 wrote to memory of 3740	1112	msedge.exe	msedge.exe
PID 1112 wrote to memory of 3740	1112	msedge.exe	msedge.exe
PID 1112 wrote to memory of 3740	1112	msedge.exe	msedge.exe
PID 1112 wrote to memory of 3740	1112	msedge.exe	msedge.exe
PID 1112 wrote to memory of 3740	1112	msedge.exe	msedge.exe
PID 1112 wrote to memory of 3740	1112	msedge.exe	msedge.exe
PID 1112 wrote to memory of 3740	1112	msedge.exe	msedge.exe
PID 1112 wrote to memory of 3740	1112	msedge.exe	msedge.exe
PID 1112 wrote to memory of 3740	1112	msedge.exe	msedge.exe
PID 1112 wrote to memory of 3740	1112	msedge.exe	msedge.exe
PID 1112 wrote to memory of 3740	1112	msedge.exe	msedge.exe
PID 1112 wrote to memory of 3740	1112	msedge.exe	msedge.exe
PID 1112 wrote to memory of 3740	1112	msedge.exe	msedge.exe
PID 1112 wrote to memory of 3740	1112	msedge.exe	msedge.exe
PID 1112 wrote to memory of 3740	1112	msedge.exe	msedge.exe
PID 1112 wrote to memory of 3740	1112	msedge.exe	msedge.exe
PID 1112 wrote to memory of 3740	1112	msedge.exe	msedge.exe
PID 1112 wrote to memory of 3740	1112	msedge.exe	msedge.exe
PID 1112 wrote to memory of 3740	1112	msedge.exe	msedge.exe
PID 1112 wrote to memory of 3740	1112	msedge.exe	msedge.exe
PID 1112 wrote to memory of 3740	1112	msedge.exe	msedge.exe
PID 1112 wrote to memory of 3740	1112	msedge.exe	msedge.exe
PID 1112 wrote to memory of 3740	1112	msedge.exe	msedge.exe
PID 1112 wrote to memory of 3740	1112	msedge.exe	msedge.exe
PID 1112 wrote to memory of 3740	1112	msedge.exe	msedge.exe
PID 1112 wrote to memory of 3740	1112	msedge.exe	msedge.exe
PID 1112 wrote to memory of 3740	1112	msedge.exe	msedge.exe
PID 1112 wrote to memory of 872	1112	msedge.exe	msedge.exe
PID 1112 wrote to memory of 872	1112	msedge.exe	msedge.exe
PID 1112 wrote to memory of 3356	1112	msedge.exe	msedge.exe
PID 1112 wrote to memory of 3356	1112	msedge.exe	msedge.exe
PID 1112 wrote to memory of 3356	1112	msedge.exe	msedge.exe
PID 1112 wrote to memory of 3356	1112	msedge.exe	msedge.exe
PID 1112 wrote to memory of 3356	1112	msedge.exe	msedge.exe
PID 1112 wrote to memory of 3356	1112	msedge.exe	msedge.exe
PID 1112 wrote to memory of 3356	1112	msedge.exe	msedge.exe
PID 1112 wrote to memory of 3356	1112	msedge.exe	msedge.exe
PID 1112 wrote to memory of 3356	1112	msedge.exe	msedge.exe
PID 1112 wrote to memory of 3356	1112	msedge.exe	msedge.exe
PID 1112 wrote to memory of 3356	1112	msedge.exe	msedge.exe
PID 1112 wrote to memory of 3356	1112	msedge.exe	msedge.exe
PID 1112 wrote to memory of 3356	1112	msedge.exe	msedge.exe
PID 1112 wrote to memory of 3356	1112	msedge.exe	msedge.exe
PID 1112 wrote to memory of 3356	1112	msedge.exe	msedge.exe
PID 1112 wrote to memory of 3356	1112	msedge.exe	msedge.exe
PID 1112 wrote to memory of 3356	1112	msedge.exe	msedge.exe
PID 1112 wrote to memory of 3356	1112	msedge.exe	msedge.exe
PID 1112 wrote to memory of 3356	1112	msedge.exe	msedge.exe
PID 1112 wrote to memory of 3356	1112	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\65d185edcf83123115ebbdf954f2b3d7_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff28d446f8,0x7fff28d44708,0x7fff28d44718
2⤵
PID:2328

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,11725691385840481996,14288458603007966444,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2060 /prefetch:2
2⤵
PID:3740

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,11725691385840481996,14288458603007966444,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:872

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2052,11725691385840481996,14288458603007966444,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2660 /prefetch:8
2⤵
PID:3356

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,11725691385840481996,14288458603007966444,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
2⤵
PID:732

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,11725691385840481996,14288458603007966444,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
2⤵
PID:2372

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,11725691385840481996,14288458603007966444,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4908 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4532

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1780

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1ac52e2503cc26baee4322f02f5b8d9c

SHA1
38e0cee911f5f2a24888a64780ffdf6fa72207c8

SHA256
f65058c6f1a745b37a64d4c97a8e8ee940210273130cec97a67f568088b5d4d4

SHA512
7670d606bc5197ecb7db3ddaecd6f74a80e6decae92b94e0e8145a7f463fa099058e89f9dfa1c45b9197c36e5e21994698186a2ec970bbdb0937fe28ca46a834

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b2a1398f937474c51a48b347387ee36a

SHA1
922a8567f09e68a04233e84e5919043034635949

SHA256
2dc0bf08246ddd5a32288c895d676017578d792349ca437b1b36e7b2f0ade6d6

SHA512
4a660c0549f7a850e07d8d36dab33121af02a7bd7e9b2f0137930b4c8cd89b6c5630e408f882684e6935dcb0d5cb5e01a854950eeda252a4881458cafcc7ef7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
177ccf99ddb873996f1c28815167d853

SHA1
dd4053cf8b2f34716ebd963d2b0380084bb91a28

SHA256
eb17359452ea6952be71df637dd72670a62ef79096398f4fca9c51e14aabbd7d

SHA512
690bb6caabe49b4ea6036ed4cb91bc047193218db0054b1aed86073bb607d4f248f62db3f0a4af3fa856d453a0f7308e5bf9f2a3963b75bfa4af1774fbf5069b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
67ca413f3c3f149f6354cda54ff82d7c

SHA1
1ca63c08cb8eaf659d1cb0f39a19353b147929fe

SHA256
d6516bf2f7b91646d60a757090f3eb446d34d68f7efac8135da0aa3b876ebdf8

SHA512
1ced4369995cf258b7f668b0fcabb9125958578ec8a8d51a45689223da0d41d791b59a2532369f67257b728a2f1a39b1e04f47555f1e1388a408cb249fac2ba1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
99e7820016c25117d5089c1857c130e9

SHA1
c3dbdcdf5d2b1dd0b7d22338674f32e438ad5652

SHA256
453dec3706872579f8f692aec22d5f73fc9ae8e8ea0c620adcc9698e2da5ebfc

SHA512
ab9b148cb21f85e99d928e4d4055444dbea1ae2e2cd821135752afba5a4a981330d6eb387a1eafac1bb6b46de8a3c97983a12100e04ef642283dd1bf7852ddc1

Download Submit
\??\pipe\LOCAL\crashpad_1112_FDKLBNTWEGUJSDHU

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads